agenttesla | 66b93d3953720772c3adf5f424c5dc4d5e6a61c7e9d08157ccf8ad9eec069f1c

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/03/2023, 07:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RFQ#00388-SJOMAN ENGINEERING LLC.exe
Size

885KB
MD5

0db685d98e98abaf4214262dec358b6f
SHA1

66b3f2a05061b53ecc5ef881400f1ef30452f2b3
SHA256

66b93d3953720772c3adf5f424c5dc4d5e6a61c7e9d08157ccf8ad9eec069f1c
SHA512

5896e9851f34b82f0a4da16f698b12ccca1c6685480d9dda8de09c51263f0ec8d3e888166453d84e5b0e5f52ef4968d51d2b4410e79421b5153282bb16d8f478
SSDEEP

12288:IKQa8hYsUkIq6HE0rwKfNvhM8fhLsYX8CdClLqbMqcESTQxNqv6nnjqKoeM:IT0p7rFNvhMAsYZduLDPEp26nnjqKoeM

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.kamtechworld.com
Port:
21
Username:
[email protected]
Password:
**noE&0Reh[0

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39

Program crash 1 IoCs

pid	pid_target	Process	procid_target
112	884	WerFault.exe	39

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe
2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1988	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	28
PID 2032 wrote to memory of 1988	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	28
PID 2032 wrote to memory of 1988	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	28
PID 2032 wrote to memory of 1108	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	29
PID 2032 wrote to memory of 1108	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	29
PID 2032 wrote to memory of 1108	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	29
PID 2032 wrote to memory of 1992	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	30
PID 2032 wrote to memory of 1992	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	30
PID 2032 wrote to memory of 1992	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	30
PID 2032 wrote to memory of 296	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	31
PID 2032 wrote to memory of 296	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	31
PID 2032 wrote to memory of 296	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	31
PID 2032 wrote to memory of 764	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	32
PID 2032 wrote to memory of 764	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	32
PID 2032 wrote to memory of 764	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	32
PID 2032 wrote to memory of 832	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	33
PID 2032 wrote to memory of 832	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	33
PID 2032 wrote to memory of 832	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	33
PID 2032 wrote to memory of 1644	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	34
PID 2032 wrote to memory of 1644	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	34
PID 2032 wrote to memory of 1644	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	34
PID 2032 wrote to memory of 1476	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	35
PID 2032 wrote to memory of 1476	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	35
PID 2032 wrote to memory of 1476	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	35
PID 2032 wrote to memory of 572	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	36
PID 2032 wrote to memory of 572	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	36
PID 2032 wrote to memory of 572	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	36
PID 2032 wrote to memory of 1488	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	37
PID 2032 wrote to memory of 1488	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	37
PID 2032 wrote to memory of 1488	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	37
PID 2032 wrote to memory of 980	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	38
PID 2032 wrote to memory of 980	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	38
PID 2032 wrote to memory of 980	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	38
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 2032 wrote to memory of 884	2032	RFQ#00388-SJOMAN ENGINEERING LLC.exe	39
PID 884 wrote to memory of 112	884	SetupUtility.exe	40
PID 884 wrote to memory of 112	884	SetupUtility.exe	40
PID 884 wrote to memory of 112	884	SetupUtility.exe	40
PID 884 wrote to memory of 112	884	SetupUtility.exe	40

C:\Users\Admin\AppData\Local\Temp\RFQ#00388-SJOMAN ENGINEERING LLC.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ#00388-SJOMAN ENGINEERING LLC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 168
    3⤵
    - Program crash
    PID:112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/884-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2032-54-0x0000000000080000-0x0000000000162000-memory.dmp

Filesize
904KB

Download
memory/2032-55-0x0000000002030000-0x00000000020D6000-memory.dmp

Filesize
664KB

Download
memory/2032-56-0x000000001AD70000-0x000000001ADF0000-memory.dmp

Filesize
512KB

Download